From 143b39c1855f8a22f474f20354ee5ee5d2f4d266 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfrost@snowman.net>
Date: Thu, 27 Nov 2014 01:06:36 -0500
Subject: Rename pg_rowsecurity -> pg_policy and other fixes

As pointed out by Robert, we should really have named pg_rowsecurity
pg_policy, as the objects stored in that catalog are policies.  This
patch fixes that and updates the column names to start with 'pol' to
match the new catalog name.

The security consideration for COPY with row level security, also
pointed out by Robert, has also been addressed by remembering and
re-checking the OID of the relation initially referenced during COPY
processing, to make sure it hasn't changed under us by the time we
finish planning out the query which has been built.

Robert and Alvaro also commented on missing OCLASS and OBJECT entries
for POLICY (formerly ROWSECURITY or POLICY, depending) in various
places.  This patch fixes that too, which also happens to add the
ability to COMMENT on policies.

In passing, attempt to improve the consistency of messages, comments,
and documentation as well.  This removes various incarnations of
'row-security', 'row-level security', 'Row-security', etc, in favor
of 'policy', 'row level security' or 'row_security' as appropriate.

Happy Thanksgiving!
---
 doc/src/sgml/catalogs.sgml          | 44 ++++++++++++++++-----------------
 doc/src/sgml/ddl.sgml               |  4 +--
 doc/src/sgml/ref/alter_policy.sgml  |  4 +--
 doc/src/sgml/ref/create_policy.sgml | 49 ++++++++++++++++++-------------------
 doc/src/sgml/ref/drop_policy.sgml   | 16 ++++++------
 doc/src/sgml/rules.sgml             |  2 +-
 6 files changed, 59 insertions(+), 60 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index f98e282741f..9ceb96b54c7 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -239,8 +239,8 @@
      </row>
 
      <row>
-      <entry><link linkend="catalog-pg-rowsecurity"><structname>pg_rowsecurity</structname></link></entry>
-      <entry>table row-level security policies</entry>
+      <entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
+      <entry>table policies</entry>
      </row>
 
      <row>
@@ -1944,8 +1944,8 @@
       <entry><type>bool</type></entry>
       <entry></entry>
       <entry>
-       True if table has row-security enabled; see
-       <link linkend="catalog-pg-rowsecurity"><structname>pg_rowsecurity</structname></link> catalog
+       True if table has row level security enabled; see
+       <link linkend="catalog-pg-policy"><structname>pg_policy</structname></link> catalog
       </entry>
      </row>
 
@@ -5342,15 +5342,15 @@
   </table>
  </sect1>
 
- <sect1 id="catalog-pg-rowsecurity">
-  <title><structname>pg_rowsecurity</structname></title>
+ <sect1 id="catalog-pg-policy">
+  <title><structname>pg_policy</structname></title>
 
-  <indexterm zone="catalog-pg-rowsecurity">
-   <primary>pg_rowsecurity</primary>
+  <indexterm zone="catalog-pg-policy">
+   <primary>pg_policy</primary>
   </indexterm>
 
   <para>
-   The catalog <structname>pg_rowsecurity</structname> stores row-level
+   The catalog <structname>pg_policy</structname> stores row-level
    security policies for each table.  A policy includes the kind of
    command which it applies to (or all commands), the roles which it
    applies to, the expression to be added as a security-barrier
@@ -5361,7 +5361,7 @@
 
   <table>
 
-   <title><structname>pg_rowsecurity</structname> Columns</title>
+   <title><structname>pg_policy</structname> Columns</title>
 
    <tgroup cols="4">
     <thead>
@@ -5375,42 +5375,42 @@
 
     <tbody>
      <row>
-      <entry><structfield>rsecpolname</structfield></entry>
+      <entry><structfield>polname</structfield></entry>
       <entry><type>name</type></entry>
       <entry></entry>
-      <entry>The name of the row-security policy</entry>
+      <entry>The name of the policy</entry>
      </row>
 
      <row>
-      <entry><structfield>rsecrelid</structfield></entry>
+      <entry><structfield>polrelid</structfield></entry>
       <entry><type>oid</type></entry>
       <entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
-      <entry>The table to which the row-security policy belongs</entry>
+      <entry>The table to which the policy belongs</entry>
      </row>
 
      <row>
-      <entry><structfield>rseccmd</structfield></entry>
+      <entry><structfield>polcmd</structfield></entry>
       <entry><type>char</type></entry>
       <entry></entry>
-      <entry>The command type to which the row-security policy is applied.</entry>
+      <entry>The command type to which the policy is applied.</entry>
      </row>
 
      <row>
-      <entry><structfield>rsecroles</structfield></entry>
+      <entry><structfield>polroles</structfield></entry>
       <entry><type>char</type></entry>
       <entry></entry>
-      <entry>The roles to which the row-security policy is applied.</entry>
+      <entry>The roles to which the policy is applied.</entry>
      </row>
 
      <row>
-      <entry><structfield>rsecqual</structfield></entry>
+      <entry><structfield>polqual</structfield></entry>
       <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>The expression tree to be added to the security barrier qualifications for queries which use the table.</entry>
      </row>
 
      <row>
-      <entry><structfield>rsecwithcheck</structfield></entry>
+      <entry><structfield>polwithcheck</structfield></entry>
       <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>The expression tree to be added to the with check qualifications for queries which attempt to add rows to the table.</entry>
@@ -5423,8 +5423,8 @@
   <note>
    <para>
     <literal>pg_class.relrowsecurity</literal>
-    True if the table has row-security enabled.  Policies will not be applied
-    unless row-security is enabled on the table.
+    True if the table has row security enabled.  Policies will not be applied
+    unless row security is enabled on the table.
    </para>
   </note>
 
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index f9dc151a0cc..570a003e4a9 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1558,8 +1558,8 @@ REVOKE ALL ON accounts FROM PUBLIC;
 
   <para>
    To specify which rows are visible and what rows can be added to the
-   table with row security, an expression is required which returns a
-   boolean result.  This expression will be evaluated for each row prior
+   table with row level security, an expression is required which returns
+   a boolean result.  This expression will be evaluated for each row prior
    to other conditionals or functions which are part of the query.  The
    one exception to this rule are <literal>leakproof</literal> functions,
    which are guaranteed to not leak information.  Two expressions may be
diff --git a/doc/src/sgml/ref/alter_policy.sgml b/doc/src/sgml/ref/alter_policy.sgml
index ab717f31c51..796035e9da9 100644
--- a/doc/src/sgml/ref/alter_policy.sgml
+++ b/doc/src/sgml/ref/alter_policy.sgml
@@ -16,7 +16,7 @@ PostgreSQL documentation
 
  <refnamediv>
   <refname>ALTER POLICY</refname>
-  <refpurpose>change the definition of a row-security policy</refpurpose>
+  <refpurpose>change the definition of a policy</refpurpose>
  </refnamediv>
 
  <refsynopsisdiv>
@@ -34,7 +34,7 @@ ALTER POLICY <replaceable class="parameter">name</replaceable> ON <replaceable c
 
   <para>
    <command>ALTER POLICY</command> changes the <replaceable class="parameter">
-   definition</replaceable> of an existing row-security policy.
+   definition</replaceable> of an existing policy.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_policy.sgml b/doc/src/sgml/ref/create_policy.sgml
index eff062c114f..4c8c0019313 100644
--- a/doc/src/sgml/ref/create_policy.sgml
+++ b/doc/src/sgml/ref/create_policy.sgml
@@ -16,7 +16,7 @@ PostgreSQL documentation
 
  <refnamediv>
   <refname>CREATE POLICY</refname>
-  <refpurpose>define a new row-security policy for a table</refpurpose>
+  <refpurpose>define a new policy for a table</refpurpose>
  </refnamediv>
 
  <refsynopsisdiv>
@@ -33,14 +33,13 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
   <title>Description</title>
 
   <para>
-   The <command>CREATE POLICY</command> command defines a new row-security
-   policy for a table.  Note that row-security must also be enabled on the
-   table using <command>ALTER TABLE</command> in order for created policies
-   to be applied.
+   The <command>CREATE POLICY</command> command defines a new policy for a
+   table.  Note that row level security must also be enabled on the table using
+   <command>ALTER TABLE</command> in order for created policies to be applied.
   </para>
 
   <para>
-   A row-security policy is an expression which is added to the security-barrier
+   A policy is an expression which is added to the security-barrier
    qualifications of queries which are run against the table the policy is on,
    or an expression which is added to the with-check options for a table and
    which is applied to rows which would be added to the table.
@@ -49,7 +48,7 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
    expression will be evaluated against the rows which are going to be added to
    the table.  By adding policies to a table, a user can limit the rows which a
    given user can select, insert, update, or delete.  This capability is also
-   known as Row-Level Security or RLS.
+   known as Row Level Security or RLS.
   </para>
 
   <para>
@@ -66,22 +65,22 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
   </para>
 
   <para>
-   Note that while row-security policies will be applied for explicit queries
-   against tables in the system, they are not applied when the system is
-   performing internal referential integrity checks or validating constraints.
-   This means there are indirect ways to determine that a given value exists.
-   An example of this is attempting to insert a duplicate value
-   into a column which is the primary key or has a unique constraint.  If the
-   insert fails then the user can infer that the value already exists (this
-   example assumes that the user is permitted by policy to insert
-   records which they are not allowed to see).  Another example is where a user
-   is allowed to insert into a table which references another, otherwise hidden
-   table.  Existence can be determined by the user inserting values into the
-   referencing table, where success would indicate that the value exists in the
-   referenced table.  These issues can be addressed by carefully crafting
-   policies which prevent users from being able to insert, delete, or update
-   records at all which might possibly indicate a value they are not otherwise
-   able to see, or by using generated values (e.g.: surrogate keys) instead.
+   Note that while policies will be applied for explicit queries against tables
+   in the system, they are not applied when the system is performing internal
+   referential integrity checks or validating constraints.  This means there are
+   indirect ways to determine that a given value exists.  An example of this is
+   attempting to insert a duplicate value into a column which is the primary key
+   or has a unique constraint.  If the insert fails then the user can infer that
+   the value already exists (this example assumes that the user is permitted by
+   policy to insert records which they are not allowed to see).  Another example
+   is where a user is allowed to insert into a table which references another,
+   otherwise hidden table.  Existence can be determined by the user inserting
+   values into the referencing table, where success would indicate that the
+   value exists in the referenced table.  These issues can be addressed by
+   carefully crafting policies which prevent users from being able to insert,
+   delete, or update records at all which might possibly indicate a value they
+   are not otherwise able to see, or by using generated values (e.g.: surrogate
+   keys) instead.
   </para>
 
   <para>
@@ -291,8 +290,8 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
 
   <para>
    In order to maintain <firstterm>referential integrity</firstterm> between
-   two related tables, row-security policies are not applied when the system
-   performs checks on foreign key constraints.
+   two related tables, policies are not applied when the system performs
+   checks on foreign key constraints.
   </para>
 
  </refsect1>
diff --git a/doc/src/sgml/ref/drop_policy.sgml b/doc/src/sgml/ref/drop_policy.sgml
index 31ca9db220e..bd4ef5cf7ce 100644
--- a/doc/src/sgml/ref/drop_policy.sgml
+++ b/doc/src/sgml/ref/drop_policy.sgml
@@ -16,7 +16,7 @@ PostgreSQL documentation
 
  <refnamediv>
   <refname>DROP POLICY</refname>
-  <refpurpose>remove a row-security policy from a table</refpurpose>
+  <refpurpose>remove a policy from a table</refpurpose>
  </refnamediv>
 
  <refsynopsisdiv>
@@ -29,11 +29,11 @@ DROP POLICY [ IF EXISTS ] <replaceable class="parameter">name</replaceable> ON <
   <title>Description</title>
 
   <para>
-   <command>DROP POLICY</command> removes the specified row-security policy
-   from the table.  Note that if the last policy is removed for a table and
-   the table still has ROW POLICY enabled via <command>ALTER TABLE</command>,
-   then the default-deny policy will be used.  <command>ALTER TABLE</command>
-   can be used to disable row security for a table using
+   <command>DROP POLICY</command> removes the specified policy from the table.
+   Note that if the last policy is removed for a table and the table still has
+   row level security enabled via <command>ALTER TABLE</command>, then the
+   default-deny policy will be used.  <command>ALTER TABLE</command> can be used
+   to disable row level security for a table using
    <literal>DISABLE ROW SECURITY</literal>, whether policies for the table
    exist or not.
   </para>
@@ -80,8 +80,8 @@ DROP POLICY [ IF EXISTS ] <replaceable class="parameter">name</replaceable> ON <
   <title>Examples</title>
 
   <para>
-   To drop the row-security policy called <literal>p1</literal> on the
-   table named <literal>my_table</literal>:
+   To drop the policy called <literal>p1</literal> on the table named
+   <literal>my_table</literal>:
 
    <programlisting>
     DROP POLICY p1 ON my_table;
diff --git a/doc/src/sgml/rules.sgml b/doc/src/sgml/rules.sgml
index 66b3cc9bf2f..973db7435bc 100644
--- a/doc/src/sgml/rules.sgml
+++ b/doc/src/sgml/rules.sgml
@@ -2133,7 +2133,7 @@ SELECT * FROM phone_number WHERE tricky(person, phone);
 </para>
 
 <para>
-    When it is necessary for a view to provide row-level security, the
+    When it is necessary for a view to provide row level security, the
     <literal>security_barrier</literal> attribute should be applied to
     the view.  This prevents maliciously-chosen functions and operators from
     being invoked on rows until after the view has done its work.  For
-- 
cgit v1.2.3